Preparing for delegated administration

Before creating delegated administration roles, there are 2 key planning and setup tasks for the Super Administrator to perform:

  • Review and edit the Filter Lock, which blocks specified categories and protocols for managed clients in all delegated administration roles. By default, the Filter Lock blocks and locks several categories, so it is important to check the default settings against the requirements of your organization. (See Creating a Filter Lock.)
    • Filter Lock restrictions are automatically enforced for all filters created in or copied to a delegated administration role, and cannot be modified by the delegated administrator.
    • Delegated administrators can apply any action to categories and protocols not blocked and locked in the Filter Lock.
    • Changes to the Filter Lock are implemented for all managed clients as soon as the changes are saved. Delegated administrators who are working in the Forcepoint Security Manager when the changes take effect will not see the changes in their filters until the next time they log on.
    • Filter Lock restrictions do not apply to clients managed by the Super Administrator role.
  • Determine which Super Administrator policies and filters will be copied to each new role that you plan to create, and make adjustments to existing policies as needed.
    • By default, each role is created with a single Default policy, created from the Default category and protocol filter (not the Default policy) currently configured for the Super Administrator role.
    • Optionally, you can instead copy all policy objects (policies, filters, custom categories, and custom URLs) from the Super Administrator role to the new role. The delegated administrator then starts with a complete set of policies and policy components.
      • Copies of policies and filters in a delegated administration role are subject to the Filter Lock, and are therefore not identical to the same policies and filters in the Super Administrator role.
      • When the Unrestricted policy is copied, the policy and filter names are changed to reflect the fact that they are subject to the Filter Lock, and no longer permit all requests.

      Copying Super Administrator policy objects to a new role can take a very long time, depending on how much information must be copied.

Once these planning steps are completed, each of the following delegated administration components must be put into place:

  1. A Global Security Administrator creates administrator accounts on the Global Settings > Administrators page, and grants the accounts the appropriate level of Web module access.
  2. A Super Administrator creates delegated administration roles on the Policy Management > Delegated Administration page, then adds administrators and managed clients to the roles. See Managing delegated administration roles.
  3. The Super Administrator notifies the delegated administrators that they have been granted administrative access to the Forcepoint Security Manager, and explains their level of permissions. See Preparing delegated administrators.